Update on jQuery.com Compromises
Today at 11:15AM EDT, the jQuery Infrastructure team received widespread reports and confirmed a compromise of jquery.com. This attack was aimed at defacing our sites, and did not inject malware like the attack that was reported on September 18th by RiskIQ. We believe that these are separate incidents that may have used the same attack vector.
We took the site down as soon as we realized there was a compromise and cleaned the infected files. We are taking steps to re-secure our servers, upgrade dependencies, and address vulnerabilities.
At no point today have there been reports of malware being distributed from any of our sites, nor has the code of any jQuery libraries on our website or CDN been affected or modified today or during last week’s reported attack. Some of this confusion stems from last week’s attackers having set up a domain name intended to dupe users into thinking it was the official jQuery CDN. Please note that the official domain for jQuery files hosted from our official CDN is code.jquery.com.
There has also been concern that the user accounts of developers and administrators who use jquery.com and the rest of our WordPress sites have somehow been compromised by this attack. However, the only people who have a user account for the WordPress sites affected by these attacks are members of the jQuery team; we do not have any public user registration for any sort of account on any of the affected sites.
We are continuing to actively work on and monitor this situation and will update you as we learn more.
Updates
We have moved http://jquery.com to a new server only running code we trust and are continuing to monitor the situation closely. – September 24, 2014 at 5:07 PM EDT via Twitter
I was one of millions no doubt who came to the site on the 18th. Is it safe to assume that we’re infected? I’ve run scans in both Avast and Malware Bytes that have come up negative. Then again I’m not even sure that anything can be detected considering the nature of the malware.
Same here. I visited jquery.com on Sep. 18th, and although made a thorough scan on my machine, not sure if the infection exists.
Is there a way to ensure this?
We have not heard from any of our users stating that they have been infected by visiting our site on the 18th. That being said, we have no way of knowing whether or not an individual was infected.
To those unsure if they’re infected; check out the incident report RiskIQ put out. Under the Malware Distribution section there’s plenty of indicators of compromise to look for. Files, hash values, phone home addresses, etc.
http://www.riskiq.com/sites/default/files/jQuery%20Incident%20Report%209.18.14.pdf
No infection detected, only general unavailability. Hope this will be solved soon
Regards!
There is no clue about infection on my production. Hope this solve soon.